PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re application of: Hursey et al.
Group Art Unit: 2 E3 1
Application No.: 09/912,391
Examiner: Henning, Matthew T.
Filed: 07/26/2001
Date: 01/19/2007
For: DETECTING E-MAIL PROPAGATED MALWARE

Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

ATTENTION: Board of Patent Appeals and Interferences

APPEAL BRIEF (37 C.F.R. § 41.37)

This brief is in furtherance of the Notice of Appeal, filed in this case on 11/16/2006, and in
response to the Notice of Panel Decision from Pre-Appeal Brief Review, mailed 12/19/2006.

The fees required under § 1.17, and any required petition for extension of time for filing this brief
and fees therefor, are dealt with in the accompanying TRANSMITTAL OF APPEAL BRIEF.

This brief contains these items under the following headings, and in the order set forth below (37
C.F.R. § 41.37(c)(1)):



I REAL PARTY IN INTEREST

II RELATED APPEALS AND INTERFERENCES

III STATUS OF CLAIMS

IV STATUS OF AMENDMENTS

V SUMMARY OF CLAIMED SUBJECT MATTER

VI GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL

VII ARGUMENT

VIII CLAIMS APPENDIX

IX EVIDENCE APPENDIX

X RELATED PROCEEDING APPENDIX



The final page of this brief bears the practitioner's signature. 

I REAL PARTY IN INTEREST (37 C.F.R. § 41.37(c)(1)(i))

The real party in interest in this appeal is McAfee, Inc.

II RELATED APPEALS AND INTERFERENCES (37 C.F.R. § 41.37(c)(1)(ii))

With respect to other prior or pending appeals, interferences, or related judicial proceedings that 
will directly affect, or be directly affected by, or have a bearing on the Board's decision in the 
pending appeal, there are no other such appeals, interferences, or related judicial proceedings. 

A Related Proceedings Appendix is appended hereto. 

III STATUS OF CLAIMS (37 C.F.R. § 41.37(c)(1)(iii))

A. TOTAL NUMBER OF CLAIMS IN APPLICATION

Claims in the application are: 1-4, 6-12, 14-20, and 22-28

B. STATUS OF ALL THE CLAIMS IN APPLICATION

1. Claims withdrawn from consideration: None

2. Claims pending: 1-4, 6-12, 14-20, and 22-28

3. Claims allowed: None

4. Claims rejected: 1-4, 6-12, 14-20, and 22-28

5. Claims cancelled: 5, 13, and 21

C. CLAIMS ON APPEAL

The claims on appeal are: 1-4, 6-12, 14-20, and 22-28 

See additional status information in the Appendix of Claims. 

IV STATUS OF AMENDMENTS (37 C.F.R. § 41.37(c)(1)(iv))

As to the status of any amendment filed subsequent to final rejection, an amendment was filed
10/12/2005 in response to a final Office Action mailed 5/26/2005, and such amendment was
entered after the filing of an RCE.

V SUMMARY OF CLAIMED SUBJECT MATTER (37 C.F.R. § 41.37(c)(1)(v))

With respect to a summary of Claim 1, as shown in Figures 1, 3, and 4, a computer program
product operable to control an e-mail client computer to detect e-mail propagated malware is
provided. The computer program product includes e-mail generating logic which is operable to
generate an e-mail message (e.g. see item 4 of Figure 1, etc.), as well as comparison logic
operable to compare the e-mail message with at least one of an address book of a sender of the
e-mail message and one or more previously generated e-mail messages from the client computer
(e.g. see item 12 of Figure 3 and item 32 of Figure 4, etc.). Additionally, identifying logic is
included that is operable to identify whether (i) the e-mail message is being sent to more than a
threshold number of addressees specified within the address book (e.g. see item 14 of Figure 3,
etc.). Further, the identifying logic is also operable to identify whether (ii) the e-mail message
contains message content having at least a threshold level of similarity to non-identical message
content of the previously generated e-mail messages being sent to more than a threshold number
of addressees specified within the address book (e.g. see item 42 of Figure 4, etc.). In addition,
the identifying logic is also operable to identify whether (iii) the e-mail message contains
message content having at least a threshold level of similarity to non-identical message content
of more than a threshold number of the previously generated e-mail messages (e.g. see item 42 of
Figure 4, etc.). The identifying logic is further operable to identify the email message as
potentially containing malware if at least one of items (i), (ii), and (iii) is identified. Further, the
computer program product comprises quarantine queue logic operable to hold the previously
generated e-mail messages in a quarantine queue (e.g. see step 28 of Figure 3, etc.) for at least a
predetermined quarantine period prior to being sent from the client computer. See, for example,
page 2, line 30 - page 3, line 14; and page 4, lines 8-12 and lines 24-29 et al.

With respect to a summary of Claim 9, as shown in Figures 1, 3, and 4, a method of detecting
e-mail propagated malware within an e-mail client computer is provided. In use, an e-mail
message is generated (e.g. see item 10 of Figure 3, etc.) and the e-mail message is compared with
at least one of an address book of a sender of the e-mail message and one or more previously
generated e-mail messages from the client computer (e.g. see item 12 of Figure 3 and item 32 of
Figure 4, etc.). Further, it is identified whether (i) the e-mail message is being sent to more than a
threshold number of addressees specified within the address book (e.g. see item 14 of Figure 3,
etc.), (ii) the e-mail message contains message content having at least a threshold level of
similarity to non-identical message content of the previously generated e-mail messages being
sent to more than a threshold number of addressees specified within the address book (e.g. see
item 42 of Figure 4, etc.), and (iii) the e-mail message contains message content having at least a
threshold level of similarity to non-identical message content of more than a threshold number of
the previously generated e-mail messages (e.g. see item 42 of Figure 4, etc.). In addition, the
email message is identified as potentially containing malware if at least one of items (i), (ii), and
(iii) is identified. Still yet, previously generated e-mail messages are held in a quarantine queue
(e.g. see step 28 of Figure 3, etc.) for at least a predetermined quarantine period prior to being
sent from the client computer. See, for example, page 2, line 30 - page 3, line 14; and page 4,
lines 8-12 and lines 24-29 et al.

With respect to a summary of Claim 17, as shown in Figures 1, 3, and 4, an apparatus for
detecting e-mail propagated malware within a client computer is provided. In use, an e-mail
generator is operable to generate an e-mail message (e.g. see item 4 of Figure 1, etc.) and a
comparator is operable to compare the e-mail message with at least one of an address book of a
sender of the e-mail message and one or more previously generated e-mail messages from the
client computer (e.g. see item 12 of Figure 3 and item 32 of Figure 4, etc.). Additionally, a
malware identifier is operable to identify whether (i) said e-mail message is being sent to more
than a threshold number of addressees specified within the address book (e.g. see item 14 of
Figure 3, etc.), (ii) the e-mail message contains message content having at least a threshold level
of similarity to non-identical message content of the previously generated e-mail messages being
sent to more than a threshold number of addressees specified within the address book (e.g. see
item 42 of Figure 4, etc.), and (iii) the e-mail message contains message content having at least a
threshold level of similarity to non-identical message content of more than a threshold number of
the previously generated e-mail messages (e.g. see item 42 of Figure 4, etc.). In addition, the
malware identifier is further operable to identify the email message as potentially containing
malware if at least one of items (i), (ii), and (iii) is identified. Further, a quarantine queue is
operable to hold the previously generated e-mail messages in a quarantine queue (e.g. see step 28
of Figure 3, etc.) for at least a predetermined quarantine period prior to being sent from the client
computer. See, for example, page 2, line 30 - page 3, line 14; and page 4, lines 8-12 and lines
24-29 et al.

Of course, the above citations are merely examples of the above claim language and should not
be construed as limiting in any manner.

VI GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL (37 C.F.R. § 41.37(c)(1)(vi))

Following, under each issue listed, is a concise statement setting forth the corresponding ground 
of rejection. 

Issue # 1: The Examiner has objected to the specification as failing to provide proper antecedent
basis for the claimed subject matter.

Issue # 2: The Examiner has rejected Claims 1-4, 6-12, 14-20, and 22-28 under 35 U.S.C. 112,
first paragraph, as failing to comply with the written description requirement.

Issue # 3: The Examiner has rejected Claims 1-3, 7, 9-11, 15, 17-19, 23, and 26 under 35 U.S.C.
103(a) as being unpatentable over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh
(U.S. Patent No. 6,763,462).

Issue # 4: The Examiner has rejected Claims 4, 6, 12, 14, 20, 22, and 27-28 under 35 U.S.C.
103(a) as being unpatentable over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh
(U.S. Patent No. 6,763,462), and further in view of Bates et al. (U.S. Patent No. 6,785,732)
(hereinafter Bates2).

Issue # 5: The Examiner has rejected Claims 8, 16, and 24 under 35 U.S.C. 103(a) as being
unpatentable over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent No.
6,763,462), and further in view of Kouznetsov (U.S. Patent No. 6,725,377).

Issue # 6: The Examiner has rejected Claim 25 under 35 U.S.C. 103(a) as being unpatentable
over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent No. 6,763,462), and
further in view of Radatti (U.S. Patent No. 6,763,467).

VII ARGUMENT (37 C.F.R. § 41.37(c)(1)(vii))

The claims of the groups noted below do not stand or fall together. In the present section,
appellant explains why the claims of each group are believed to be separately patentable.

Issue # 1:

The Examiner has objected to the specification as failing to provide proper antecedent basis for
the claimed subject matter.

The Examiner has argued that "[t]he claim limitations regarding identifying whether (i), (ii), and
(iii) in combination is not supported by the specification." Appellant respectfully disagrees and
points out that page 6, lines 12-13 of the specification states that "the anti-virus mechanism 6 can
apply the techniques described hereinafter to resist mass mailing malware," and also notes that
page 9, lines 21-22 of the specification states that "the general purpose computer 200 operating
under control of a suitable computer program may perform the above described techniques"
(emphasis added). For these and other reasons, support for the combination of (i), (ii), and (iii)
claimed in each of the independent claims is present. Of course, such citations are set forth by
way of example only and should not be construed limiting to the claims in any manner.

Issue # 2:

The Examiner has rejected Claims 1-4, 6-12, 14-20, and 22-28 under 35 U.S.C. 112, first
paragraph, as failing to comply with the written description requirement.

Group #1: Claims 1-4, 6-12, 14-20, and 22-28

The Examiner has argued that "there is support for each of (i), (ii) and (iii) in the alternative, as
shown in page " line Hj page i< line 15 of the present specification, but never as a
combination." Appellant respectfully disagrees and points out that page 6, lines 12-13 of the
specification states that "the anti-virus mechanism 6 can apply the techniques described
hereinafter to resist mass mailing malware," and also notes that page 9, lines 21-22 of the
specification states that "the general purpose computer 200 operating under control of a suitable
computer program may perform the above described techniques" (emphasis added). Thus,
support for the combination of (i), (ii), and (iii) claimed in each of the independent claims is
present. Of course, such citations are set forth by way of example only and should not be
construed limiting to the claims in any manner.

Issue # 3: 

The Examiner has rejected Claims 1-3, 7, 9-11, 15, 17-19, 23, and 26 under 35 U.S.C. 103(a) as
being unpatentable over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent
No. 6,763,462).

Group #1: Claims 1-3, 7, 9-11, 15, 17-19, and 23

In order to establish a prima facie case of obviousness, three basic criteria must be met. First,
there must be some suggestion or motivation, either in the references themselves or in the
knowledge generally available to one of ordinary skill in the art, to modify the reference or to
combine reference teachings. Second, there must be a reasonable expectation of success.
Finally, the prior art reference (or references when combined) must teach or suggest all the claim
limitations. The teaching or suggestion to make the claimed combination and the reasonable
expectation of success must both be found in the prior art and not based on appellant's
disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991).

With respect to the third element of the prima facie case of obviousness, and particularly with 
respect to the independent claims, the Examiner has relied on Col. 9, lines 3-19 from the Bates 
reference to make a prior art showing of appellant's claimed "comparison logic operable to 
compare said e-mail message with at least one of an address book of a sender of said e-mail
message and one or more previously generated e-mail messages from said client computer" (see 
this or similar, but not necessarily identical language in the independent claims). 



Appellant respectfully notes that the excerpt from Bates relied on by the Examiner simply
teaches "comparing the new e-mail source address with the source addresses of e-mail received
during a designated "B" time period" (emphasis added). Clearly, in Bates, a new e-mail source
address is only compared with e-mail received, which does not meet "compar[ing] said e-mail
message with at least one of an address book of a sender of said e-mail message and one or more
previously generated e-mail messages from said client computer," where "said previously
generated e-mail messages [are held] in a quarantine queue for at least a predetermined
quarantine period prior to being sent from said client computer," in the context specifically
claimed by appellant (emphasis added).

Additionally, with respect to the independent claims, the Examiner has relied on Col. 9, line 61 -
Col. 10, line 10 from the Bates reference to make a prior art showing of appellant's claimed
"identifying logic operable to identify whether ... said e-mail message contains message content
having at least a threshold level of similarity to non-identical message content of said previously
generated e-mail messages being sent to more than a threshold number of addressees specified
within said address book" (see this or similar, but not necessarily identical language in the
independent claims).

Appellant respectfully asserts the excerpt from Bates relied on by the Examiner merely discloses
"comparing the content of e-mails that are the same size as the new e-mail with the content of the
new e-mail" (emphasis added). However, appellant claims a technique where "said e-mail
message contains message content having at least a threshold level of similarity to non-identical
message content of said previously generated e-mail messages being sent to more than a
threshold number of addressees specified within said address book," in the context claimed
(emphasis added). Appellant notes that simply nowhere in Bates is there any disclosure of
"e-mail messages being sent to more than a threshold number of addressees specified within said
address book," in the context claimed by appellant (emphasis added).

Additionally, appellant respectfully points out block 98 in Fig. 4A of the Bates reference, which
"depicts a determination as to whether or not the number of users receiving e-mail from the same
source address during the "B" time period is greater than a designated 1 0" number of recipients"
(Col. 9, lines 9-12). In Fig. 4A, if the determination in block 98 results in an affirmative, or
"YES," result, the process skips block 114, which "depicts a determination as to whether or not
substantial similarities in content are found between the new e-mail and a particular amount of
same sized e-mail" (Col. 10, lines 1-4), and instead proceeds directly to block 120, which
"illustrates marking the new e-mail as predicted spam" (Col. 10, lines 17-18). Clearly, this fails
to meet, and even teaches away from, appellant's claimed "identifying logic operable to identify
whether ... said e-mail message contains message content having at least a threshold level of
similarity to non-identical message content of said previously generated e-mail messages being
sent to more than a threshold number of addressees specified within said address book," as
claimed (emphasis added).

With respect to the first element of the prima facie case of obviousness, and in particular the
obviousness of combining the aforementioned references, the Examiner has argued that "it would
have been obvious to combine Bates with Marsh because the ordinary person skilled in the art
would have been motivated to provide means of detecting viral spam, as suggested by Marsh, as
well as giving the user the final say in what is to be done with detected viral spam [and that] in
this combination it would be obvious that the messages would be held in a 'quarantine' for a
predetermined amount of time prior to sending in order for the user to have the option of deleting
the messages detected as being viral spam without sending the messages." To the contrary,
appellant respectfully asserts that it would not have been obvious to combine the teachings of the
Bates and Marsh references, especially in view of the vast evidence to the contrary.

For example, the Bates reference teaches that "[i]n accordance with the present invention,
multiple e-mails are received at a network server intended for multiple clients served by the
network server" (see Abstract) and that "[b]lock 92 depicts a determination as to whether or
not the number of recipients of the new e-mail is greater that a designated "A" number of
recipients...[where] a rule designating the "A" number of recipients is preferably included in
spam filtering rules for the server" (see Bates Col. 8, lines 56-60). On the other hand, the Marsh
reference teaches that "the virus detection utility 104 may be an add in program organized into a
conventional format such as a plug-in for the e-mail application 102" where "[f]or example, the
virus detection utility 104 [is] stored as a dynamic link library (DLL) file and...include[s]
routines to execute in conjunction with the e-mail application 102 to perform specific
operations" (see Marsh Col. 2, lines 26-3;?).

Clearly, in Marsh, the virus detection utility runs on clients in conjunction with email
applications located on such clients, and utilizes client-based (e.g. address books),
whereas, in Bates, a server is used to receive emails sent to clients and to predict undesirable
emails utilizing rules stored on the server. Thus, Marsh clearly teaches away from Bates.
Appellant respectfully points out that it is improper to combine references where the references
teach away from their combination. In re Grasselli, 713 F.2d 732, 743, 218 USPQ 769, 779
(Fed. Cir. 1983).

Appellant respectfully asserts that at least the first and third elements of the prima facie case of
obviousness have not been met, since it would be unobvious to combine the references, as noted
above, and the prior art references, when combined, fail to teach or suggest all of the claim
limitations, as also noted above.

Group #2: Claim 26

With respect to dependent Claim 26, the Examiner has relied on Col. 1, line 66 - Col. 2, line 7 in
Bates to make a prior art showing of appellant's claimed technique "wherein said e-mail message
is identified as potentially containing malware when said e-mail message and said previously
generated e-mail messages share a common attachment."



data storage space on servers and for ISPs unsolicited mail reduces
customer satisfaction. In addition, unsolicited mail may includes

Appellant respectfully asserts that such excerpt from Bates only discloses that "other destructive
attachments...can easily be transmitted within a server upon activation of a single client within a
network." Clearly, only mentioning an attachment, as in Bates, does not even suggest
appellant's specific claim language, namely that "said e-mail message is identified as potentially
containing malware when said e-mail message and said previously generated e-mail messages
share a common attachment," as claimed (emphasis added).

Again, appellant respectfully asserts that at least the first and third elements of the prima facie
case of obviousness have not been met, since it would be unobvious to combine the references,
as noted above, and the prior art references, when combined, fail to teach or suggest all of the
claim limitations, as noted above.



Issue # 4:

The Examiner has rejected Claims 4, 6, 12, 14, 20, 22, and 27-28 under 35 U.S.C. 103(a) as
being unpatentable over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent
No. 6,763,462), and further in view of Bates et al. (U.S. Patent No. 6,785,732) (Bates2).

Group #1: Claims 4, 6, 12, 14, 20, and 22

Appellant respectfully asserts that such claims are not met by the prior art for the reasons argued
with respect to Issue #3, Group #1.

Again, appellant respectfully asserts that at least the first and third elements of the prima facie
case of obviousness have not been met, since it would be unobvious to combine the references,
as noted above, and the prior art references, when combined, fail to teach or suggest all of the
claim limitations, as noted above.

Group #2: Claim 27

With respect to dependent Claim 27, the Examiner has relied on Col <S, paragraph 1 in Bates2 to
make a prior art showing of appellant's claimed technique "wherein a message is sent to a
malware computer program provider to provide a warning of new malware outbreaks when said
e-mail message is identified as potentially containing malware."



Appellant respectfully asserts that the excerpt from Bates2 relied upon by the Examiner merely
discloses that "[i]f a virus is found, the web client is notified of the virus (step -i^O)" and that
"the appropriate authorities may be notified of the virus" (emphasis added). However, the mere
disclosure that if a virus is found, the appropriate authorities may be notified of the virus, as in
Bates2, simply fails to even suggest a technique "wherein a message is sent to a malware
computer program provider to provide a warning of new malware outbreaks when said e-mail
message is identified as potentially containing malware," as claimed by appellant (emphasis
added). Clearly, the mere disclosure of notifying the appropriate authorities of the found virus,
as in Bates2, simply fails to suggest "provid[ing] a warning of new malware outbreaks," in the
manner as claimed by appellant (emphasis added).

Again, appellant respectfully asserts that at least the third element of the prima facie case of
obviousness has not been met, since the prior art references, when combined, fail to teach or
suggest all of the claim limitations, as noted above.

Group #3: Claim 28

With respect to dependent Claim 28, the Examiner has relied on Col paragraph 1 in Bates2
(reproduced above) to make a prior art showing of appellant's claimed technique "wherein said
message to said malware computer program provider includes a copy of said e-mail message."

Appellant respectfully asserts that the excerpt from Bates2 relied upon by the Examiner merely
discloses that "[i]f a virus is found, the web client is notified of the virus (step 4*0)" and that
"the appropriate authorities may be notified of the virus" (emphasis added). However, the
general disclosure that if a virus is found, the appropriate authorities may be notified of the virus,
as in Bates2, simply fails to even suggest a specific technique "wherein said message to said
malware computer program provider includes a copy of said e-mail message," as claimed by
appellant (emphasis added). Clearly, the mere disclosure of notifying the appropriate authorities
of the found virus, as in Bates2, simply fails to suggest that the "message to said malware
computer program provider includes a copy of said e-mail message" in the manner as claimed
by appellant (emphasis added).

Again, appellant respectfully asserts that at least the third element of the prima facie case of
obviousness has not been met, since the prior art references, when combined, fail to teach or
suggest all of the claim limitations, as noted above.



Issue # 5:

The Examiner has rejected Claims 8, 16, and 24 under 35 U.S.C. 103(a) as being unpatentable
over Bates et al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent No. 6,763,462), and
further in view of Kouznetsov (U.S. Patent No. 6,725,377).

Group #1: Claims 8, 16, and 24

Appellant respectfully asserts that such claims are not met by the prior art for the reasons argued
with respect to Issue #3, Group #1.

Again, appellant respectfully asserts that at least the third element of the prima facie case of
obviousness has not been met, since the prior art references, when combined, fail to teach or
suggest all of the claim limitations, as noted above.

Issue # 6:

The Examiner has rejected Claim 25 under 35 U.S.C. 103(a) as being unpatentable over Bates et
al. (U.S. Patent No. 6,779,021), in view of Marsh (U.S. Patent No. 6,763,462), and further in
view of Radatti (U.S. Patent No. 6,763,467).

With respect to dependent Claim 25, the Examiner has relied on Col. 1, lines 36-48 of the
Radatti reference to make a prior art showing of appellant's claimed technique "wherein said
e-mail message is identified as potentially containing malware only if said e-mail message includes
an executable element, to speed processing."

Specifically, appellant notes that the Examiner has argued that "Radatti teaches that only
executable code may contain malware." Appellant respectfully disagrees and points out that the
excerpt from Radatti merely discloses that "[a]ll binary executables, unreviewed shell scripts,
and source code accessed from an external network may contain worms, viruses, or trojan
horses" and that "outside binary executables, shell scripts, and scarified source code may enter an
kMoiajjiet^ (emphasis added).

Clearly, disclosing that binary executables may contain worms, viruses, or Trojan horses, as in
Radatti, does not suggest that "only executable code may contain malware," as noted by the
Examiner (emphasis added). Furthermore, simply disclosing that executables may contain
worms, viruses, or Trojan horses, as in Radatti, does not specifically teach any sort of e-mail, let
alone meet appellant's specifically claimed technique "wherein said e-mail message is identified
as potentially containing malware only if said e-mail message includes an executable element to
speed processing," as claimed by appellant (emphasis added).

Appellant respectfully asserts that at least the third element of the prima facie case of
obviousness has not been met, since the prior art references, when combined, fail to teach or
suggest all of the claim limitations, as noted above.

In view of the remarks set forth hereinabove, all of the independent claims are deemed 
allowable, along with any claims depending therefrom. 

VIII CLAIMS APPENDIX (37 C.F.R. § 41.37(c)(1)(viii))

The text of the claims involved in the appeal (along with associated status information) is set 
forth below: 

1. (Previously Presented) A computer program product operable to control an e-mail
client computer to detect e-mail propagated malware, said computer program product
comprising:

e-mail generating logic operable to generate an e-mail message;

comparison logic operable to compare said e-mail message with at least one of an address
book of a sender of said e-mail message and one or more previously generated e-mail messages
from said client computer; and

identifying logic operable to identify whether:

(i) said e-mail message is being sent to more than a threshold number of
addressees specified within said address book;

(ii) said e-mail message contains message content having at least a threshold level
of similarity to non-identical message content of said previously generated e-mail
messages being sent to more than a threshold number of addressees specified within said
address book; and

(iii) said e-mail message contains message content having at least a threshold
level of similarity to non-identical message content of more than a threshold number of
said previously generated e-mail messages;

wherein said identifying logic is further operable to identify said email message as
potentially containing malware if at least one of items (i), (ii), and (iii) is identified; and

quarantine queue logic operable to hold said previously generated e-mail messages in a
quarantine queue for at least a predetermined quarantine period prior to being sent from said
client computer.

2. (Original) A computer program product as claimed in claim 1, wherein said e-mail
message specifies a plurality of addressees, said comparison logic being operable to compare
said plurality of addressees with said e-mail address book to determine if said at least a threshold
number of addressees has been exceeded.



3. (Original) A computer program product as claimed in claim 1, wherein said at least a 
threshold number of addressees is specified as a proportion of addressees within said address 
book. 

4. (Original) A computer program product as claimed in claim 3, wherein said proportion 
of addressees within said address book is user specified. 

5. (Cancelled) 

6. (Previously Presented) A computer program product as claimed in claim I , wherein 
said quarantine period ih usei specified 

7 tOuginab A computer piogram ptudttci as claimed m claim 1 composing 
confum.moii mpui logic openiHe when said e-mai! message is identified as potential! \ 
eontainmu maiwate to venerate a use; message seckmu a confirmation input ftom a use; of said 
client computet betoic said e-mail message is sent 

8 (Ouginalf -V computer piogram ptuduct as claimed m claim 1 composing 
admmrstratoi waimim logic opeiable when said e-mail message ts identified as potennalh 
containing malwaie to send an admmistiatoi whining message to an administrate of said diuu 
computet regatchng said e-mail message 

9. (Previously Presented) A method of detecting e-mail propagated malware within an 
e-mail client computer, said method comprising the steps of: 

generating an e-mail message; 

comparing said e-mail message with at least one of an address book of a sender of said 
e-mail message and one or more previously generated e-mail messages from said client computer; 

identifying whether: 

(i) said e-mail message is being sent to more than a threshold number of 
addressees specified within said address book; 

(ii) said e-mail message contains message content having at least a threshold level 
of similarity to non-identical message content of said previously generated e-mail 
messages being sent to more than a threshold number of addressees specified within said 
address book; and 

(iii) said e-mail message contains message content having at least a threshold 
level of similarity to non-identical message content of more than a threshold number of 
said previously generated e-mail messages; 

wherein said email message is identified as potentially containing malware if at 
least one of items (i), (ii), and (iii) is identified; and 

holding said previously generated e-mail messages in a quarantine queue for at least a 
predetermined quarantine period prior to being sent from said client computer. 

10. (Original) A method as claimed in claim 9, wherein said e-mail message specifies a 
plurality of addressees, said plurality of addressees being compared with said e-mail address 
book to determine if said at least a threshold number of addressees has been exceeded. 

11. (Original) A method as claimed in claim 9, wherein said at least a threshold number 
of addressees is specified as a proportion of addressees within said address book. 

12. (Original) A method as claimed in claim 11, wherein said proportion of addressees 
within said address book is user specified. 

13. (Cancelled) 

14. (Previously Presented) A method as claimed in claim 9, wherein said quarantine 
period is user specified. 

15. (Original) A method as claimed in claim 9, wherein when said e-mail message is 
identified as potentially containing malware, then a user message is generated seeking a 
confirmation input from a user of said client computer before said e-mail message is sent. 

16. (Original) A method as claimed in claim 9, wherein when said e-mail message is 
identified as potentially containing malware, then an administrator warning message is sent to an 
administrator of said client computer regarding said e-mail message. 

17. (Previously Presented) Apparatus for detecting e-mail propagated malware within a 
client computer, said apparatus comprising: 

an e-mail generator operable to generate an e-mail message; 

a comparitor operable to compare said e-mail message with at least one of an address 
book of a sender of said e-mail message and one or more previously generated e-mail messages 
from said client computer; 

a malware identifier operable to identify whether: 

(i) said e-mail message is being sent to more than a threshold number of 
addressees specified within said address book; 

(ii) said e-mail message contains message content having at least a threshold level 
of similarity to non-identical message content of said previously generated e-mail 
messages being sent to more than a threshold number of addressees specified within said 
address book; and 

(iii) said e-mail message contains message content having at least a threshold 
level of similarity to non-identical message content of more than a threshold number of 
said previously generated e-mail messages; 

wherein said malware identifier is further operable to identify said email message 
as potentially containing malware if at least one of items (i), (ii), and (iii) is identified; 
and 

a quarantine queue operable to hold said previously generated e-mail messages in a 
quarantine queue for at least a predetermined quarantine period prior to being sent from said 
client computer. 

18. (Original) Apparatus as claimed in claim 17, wherein said e-mail message specifies a 
plurality of addressees, said comparitor being operable to compare said plurality of addressees 
with said e-mail address book to determine if said at least a threshold number of addressees has 
been exceeded. 

19. (Previously Presented) Apparatus as claimed in claim 17, wherein said at least a 
threshold number of addressees is specified as a proportion of addressees within said address 
book. 

20. (Original) Apparatus as claimed in claim 19, wherein said proportion of addressees 
within said address book is user specified. 

21. (Cancelled) 

22. (Previously Presented) Apparatus as claimed in claim 17, wherein said quarantine 
period is user specified. 

23. (Original) Apparatus as claimed in claim 17, comprising a confirmation input unit 
operable when said e-mail message is identified as potentially containing malware to generate a 
user message seeking a confirmation input from a user of said client computer before said e-mail 
message is sent. 

24. (Original) Apparatus as claimed in claim 17, comprising an administrator warning 
unit operable when said e-mail message is identified as potentially containing malware to send 
an administrator warning message to an administrator of said client computer regarding said 
e-mail message. 

25. (Previously Presented) A computer program product as claimed in claim 1, wherein 
said e-mail message is identified as potentially containing malware only if said e-mail message 
includes an executable element to speed processing. 

26. (Previously Presented) A computer program product as claimed in claim 1, wherein 
said e-mail message is identified as potentially containing malware when said e-mail message 
and said previously generated e-mail messages share a common attachment. 

27. (Previously Presented) A computer program product as claimed in claim 1, wherein a 
message is sent to a malware computer program provider to provide a warning of new malware 
outbreaks when said e-mail message is identified as potentially containing malware. 

28. (Previously Presented) A computer program product as claimed in claim 27, wherein 
said message to said malware computer program provider includes a copy of said e-mail 
message. 
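The three identification tests (i) to (iii) and the quarantine queue recited in claims 1, 9 and 17, implemented in Python as an added example; it is not code from the application or from the real party in interest. The class name, the default thresholds, `difflib` as the similarity measure, the reading of item (ii) as the combined addressees of the similar messages, and the flagging of similar messages already in the queue are assumptions of this example.

```python
from difflib import SequenceMatcher

class OutboundMailMonitor:  # hypothetical name, not from the application
    def __init__(self, address_book, addr_fraction=0.5, sim_level=0.8,
                 similar_msg_limit=2, quarantine_secs=300):
        self.book = set(address_book)
        # threshold expressed as a proportion of the address book (claims 3, 11, 19)
        self.addr_limit = addr_fraction * len(self.book)
        self.sim_level = sim_level
        self.similar_msg_limit = similar_msg_limit
        self.quarantine_secs = quarantine_secs
        self.queue = []  # entries: {"msg", "release_at", "flagged"}

    def _similar(self, a, b):
        # similar but non-identical content: exact copies do not count
        return a != b and SequenceMatcher(None, a, b).ratio() >= self.sim_level

    def check(self, msg):
        similar = [e for e in self.queue
                   if self._similar(msg["body"], e["msg"]["body"])]
        hits = set()
        if len(set(msg["to"]) & self.book) > self.addr_limit:
            hits.add("i")      # too many address-book recipients on one message
        reached = set(msg["to"])
        for e in similar:
            reached |= set(e["msg"]["to"])
        if similar and len(reached & self.book) > self.addr_limit:
            hits.add("ii")     # similar messages together reach too many addressees
        if len(similar) > self.similar_msg_limit:
            hits.add("iii")    # too many similar messages held in the queue
        return hits, similar

    def submit(self, msg, now):
        hits, similar = self.check(msg)
        if hits & {"ii", "iii"}:
            for e in similar:  # assumption: earlier look-alikes are held back too
                e["flagged"] = True
        self.queue.append({"msg": msg, "release_at": now + self.quarantine_secs,
                           "flagged": bool(hits)})
        return hits

    def release(self, now):
        # only unflagged messages whose quarantine period has elapsed are sent
        due = [e for e in self.queue
               if e["release_at"] <= now and not e["flagged"]]
        self.queue = [e for e in self.queue if e not in due]
        return [e["msg"] for e in due]
```

Because every message waits in the queue, the fourth near-copy that trips item (iii) also stops the first three, which a check made only at send time would already have let out.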




IX EVIDENCE APPENDIX (37 C.F.R. § 41.37(c)(1)(ix)) 

There is no such evidence. 
X RELATED PROCEEDING APPENDIX (37 C.F.R. § 41.37(c)(1)(x)) 

N/A 
In the event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach the undersigned at (408) 971-2573. For payment of any additional fees due 
in connection with the filing of this paper, the Commissioner is authorized to charge such fees to 
Deposit Account No ^O-I^i (Order No N\UP4»O-'0| 0*9 01 » 

Respectfully submitted, 

By: /KEVINZILKA/ Date: January IS, 2007 

Kevin J. Zilka 
Reg. No. 41,429 

Zilka-Kotab, P.C. 

P.O. Box 721120 

San Jose, California 95172-1120 

Telephone: (408)971-2573 

Facsimile: (408)971-4660 



